1 <?xml version="1.0" encoding="utf-8"?>
2 <database name="ovn-nb" title="OVN Northbound Database">
4 This database is the interface between OVN and the cloud management system
5 (CMS), such as OpenStack, running above it. The CMS produces almost all of
6 the contents of the database. The <code>ovn-northd</code> program
7 monitors the database contents, transforms it, and stores it into the <ref
8 db="OVN_Southbound"/> database.
12 We generally speak of ``the'' CMS, but one can imagine scenarios in
13 which multiple CMSes manage different parts of an OVN deployment.
19 Each of the tables in this database contains a special column, named
20 <code>external_ids</code>. This column has the same form and purpose each
25 <dt><code>external_ids</code>: map of string-string pairs</dt>
27 Key-value pairs for use by the CMS. The CMS might use certain pairs, for
28 example, to identify entities in its own configuration that correspond to
29 those in this database.
33 <table name="NB_Global" title="Northbound configuration">
35 Northbound configuration for an OVN system. This table must have exactly
39 <group title="Status">
40 These columns allow a client to track the overall configuration state of
43 <column name="nb_cfg">
44 Sequence number for client to increment. When a client modifies any
45 part of the northbound database configuration and wishes to wait for
46 <code>ovn-northd</code> and possibly all of the hypervisors to finish
47 applying the changes, it may increment this sequence number.
50 <column name="sb_cfg">
51 Sequence number that <code>ovn-northd</code> sets to the value of <ref
52 column="nb_cfg"/> after it finishes applying the corresponding
53 configuration changes to the <ref db="OVN_Southbound"/> database.
56 <column name="hv_cfg">
57 Sequence number that <code>ovn-northd</code> sets to the smallest
58 sequence number of all the chassis in the system, as reported in the
59 <code>Chassis</code> table in the southbound database. Thus, <ref
60 column="hv_cfg"/> equals <ref column="nb_cfg"/> if all chassis are
61 caught up with the northbound configuration (which may never happen, if
62 any chassis is down). This value can regress, if a chassis was removed
63 from the system and rejoins before catching up.
67 <group title="Common Columns">
68 <column name="external_ids">
69 See <em>External IDs</em> at the beginning of this document.
74 <table name="Logical_Switch" title="L2 logical switch">
76 Each row represents one L2 logical switch.
80 There are two kinds of logical switches, that is, ones that fully
81 virtualize the network (overlay logical switches) and ones that provide
82 simple connectivity to a physical network (bridged logical switches).
83 They work in the same way when providing connectivity between logical
84 ports on same chasis, but differently when connecting remote logical
85 ports. Overlay logical switches connect remote logical ports by tunnels,
86 while bridged logical switches provide connectivity to remote ports by
87 bridging the packets to directly connected physical L2 segment with the
88 help of <code>localnet</code> ports. Each bridged logical switch has
89 one and only one <code>localnet</code> port, which has only one special
90 address <code>unknown</code>.
95 A name for the logical switch. This name has no special meaning or purpose
96 other than to provide convenience for human interaction with the ovn-nb
97 database. There is no requirement for the name to be unique. The
98 logical switch's UUID should be used as the unique identifier.
102 <column name="ports">
104 The logical ports connected to the logical switch.
108 It is an error for multiple logical switches to include the same
113 <column name="load_balancer">
114 Load balance a virtual ipv4 address to a set of logical port endpoint
119 Access control rules that apply to packets within the logical switch.
122 <group title="Common Columns">
123 <column name="external_ids">
124 See <em>External IDs</em> at the beginning of this document.
129 <table name="Logical_Switch_Port" title="L2 logical switch port">
131 A port within an L2 logical switch.
134 <group title="Core Features">
137 The logical port name.
141 For entities (VMs or containers) that are spawned in the hypervisor,
142 the name used here must match those used in the <ref key="iface-id"
143 table="Interface" column="external_ids" db="Open_vSwitch"/> in the
144 <ref db="Open_vSwitch"/> database's <ref table="Interface"
145 db="Open_vSwitch"/> table, because hypervisors use <ref key="iface-id"
146 table="Interface" column="external_ids" db="Open_vSwitch"/> as a lookup
147 key to identify the network interface of that entity.
151 For containers that share a VIF within a VM, the name can be any
152 unique identifier. See <code>Containers</code>, below, for more
159 Specify a type for this logical port. Logical ports can be used to
160 model other types of connectivity into an OVN logical switch. The
161 following types are defined:
165 <dt>(empty string)</dt>
167 A VM (or VIF) interface.
170 <dt><code>router</code></dt>
172 A connection to a logical router.
175 <dt><code>localnet</code></dt>
177 A connection to a locally accessible network from each
178 <code>ovn-controller</code> instance. A logical switch can only
179 have a single <code>localnet</code> port attached. This is used
180 to model direct connectivity to an existing network.
183 <dt><code>l2gateway</code></dt>
185 A connection to a physical network.
188 <dt><code>vtep</code></dt>
190 A port to a logical switch on a VTEP gateway.
196 <group title="Options">
197 <column name="options">
198 This column provides key/value settings specific to the logical port
199 <ref column="type"/>. The type-specific options are described
203 <group title="Options for router ports">
205 These options apply when <ref column="type"/> is <code>router</code>.
208 <column name="options" key="router-port">
209 Required. The <ref column="name"/> of the <ref
210 table="Logical_Router_Port"/> to which this logical switch port is
215 <group title="Options for localnet ports">
217 These options apply when <ref column="type"/> is
218 <code>localnet</code>.
221 <column name="options" key="network_name">
222 Required. The name of the network to which the <code>localnet</code>
223 port is connected. Each hypervisor, via <code>ovn-controller</code>,
224 uses its local configuration to determine exactly how to connect to
225 this locally accessible network.
229 <group title="Options for l2gateway ports">
231 These options apply when <ref column="type"/> is
232 <code>l2gateway</code>.
235 <column name="options" key="network_name">
236 Required. The name of the network to which the <code>l2gateway</code>
237 port is connected. The L2 gateway, via <code>ovn-controller</code>,
238 uses its local configuration to determine exactly how to connect to
242 <column name="options" key="l2gateway-chassis">
243 Required. The chassis on which the <code>l2gateway</code> logical
244 port should be bound to. <code>ovn-controller</code> running on the
245 defined chassis will connect this logical port to the physical network.
250 <group title="Options for vtep ports">
252 These options apply when <ref column="type"/> is <code>vtep</code>.
255 <column name="options" key="vtep-physical-switch">
256 Required. The name of the VTEP gateway.
259 <column name="options" key="vtep-logical-switch">
260 Required. A logical switch name connected by the VTEP gateway.
264 <group title="VMI (or VIF) Options">
266 These options apply to logical ports with <ref column="type"/> having
270 <column name="options" key="policing_rate">
271 If set, indicates the maximum rate for data sent from this interface,
272 in kbps. Data exceeding this rate is dropped.
275 <column name="options" key="policing_burst">
276 If set, indicates the maximum burst size for data sent from this
282 <group title="Containers">
284 When a large number of containers are nested within a VM, it may be too
285 expensive to dedicate a VIF to each container. OVN can use VLAN tags
286 to support such cases. Each container is assigned a VLAN ID and each
287 packet that passes between the hypervisor and the VM is tagged with the
288 appropriate ID for the container. Such VLAN IDs never appear on a
289 physical wire, even inside a tunnel, so they need not be unique except
290 relative to a single VM on a hypervisor.
294 These columns are used for VIFs that represent nested containers using
295 shared VIFs. For VMs and for containers that have dedicated VIFs, they
299 <column name="parent_name">
300 The VM interface through which the nested container sends its network
301 traffic. This must match the <ref column="name"/> column for some
302 other <ref table="Logical_Switch_Port"/>.
307 The VLAN tag in the network traffic associated with a container's
312 When <ref column="type"/> is set to <code>localnet</code>, this can
313 be set to indicate that the port represents a connection to a
314 specific VLAN on a locally accessible network. The VLAN ID is used to
315 match incoming traffic and is also added to outgoing traffic.
320 <group title="Port State">
322 This column is populated by <code>ovn-northd</code>, rather than by the
323 CMS plugin as is most of this database. When a logical port is bound
324 to a physical location in the OVN Southbound database <ref
325 db="OVN_Southbound" table="Binding"/> table, <code>ovn-northd</code>
326 sets this column to <code>true</code>; otherwise, or if the port
327 becomes unbound later, it sets it to <code>false</code>. This allows
328 the CMS to wait for a VM's (or container's) networking to become active
329 before it allows the VM (or container) to start.
332 <column name="enabled">
333 This column is used to administratively set port state. If this column
334 is empty or is set to <code>true</code>, the port is enabled. If this
335 column is set to <code>false</code>, the port is disabled. A disabled
336 port has all ingress and egress traffic dropped.
341 <group title="Addressing">
342 <column name="addresses">
344 Addresses owned by the logical port.
348 Each element in the set must take one of the following forms:
352 <dt><code>Ethernet address followed by zero or more IPv4 or IPv6 addresses (or both)</code></dt>
355 An Ethernet address defined is owned by the logical port.
356 Like a physical Ethernet NIC, a logical port ordinarily has
357 a single fixed Ethernet address.
361 When a OVN logical switch processes a unicast Ethernet frame
362 whose destination MAC address is in a logical port's <ref
363 column="addresses"/> column, it delivers it only to that port, as
364 if a MAC learning process had learned that MAC address on the
369 If IPv4 or IPv6 address(es) (or both) are defined, it indicates
370 that the logical port owns the given IP addresses.
374 If IPv4 address(es) are defined, the OVN logical switch uses this
375 information to synthesize responses to ARP requests without
376 traversing the physical network. The OVN logical router connected
377 to the logical switch, if any, uses this information to avoid
378 issuing ARP requests for logical switch ports.
382 Note that the order here is important. The Ethernet address must
383 be listed before the IP address(es) if defined.
391 <dt><code>80:fa:5b:06:72:b7</code></dt>
393 This indicates that the logical port owns the above mac address.
396 <dt><code>80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4</code></dt>
398 This indicates that the logical port owns the mac address and two
402 <dt><code>80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41</code></dt>
404 This indicates that the logical port owns the mac address and
408 <dt><code>80:fa:5b:06:72:b7 10.0.0.4 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41</code></dt>
410 This indicates that the logical port owns the mac address and
411 1 IPv4 address and 1 IPv6 address.
416 <dt><code>unknown</code></dt>
418 This indicates that the logical port has an unknown set of Ethernet
419 addresses. When an OVN logical switch processes a unicast Ethernet
420 frame whose destination MAC address is not in any logical port's
421 <ref column="addresses"/> column, it delivers it to the port (or
422 ports) whose <ref column="addresses"/> columns include
423 <code>unknown</code>.
428 <column name="port_security">
430 This column controls the addresses from which the host attached to the
431 logical port (``the host'') is allowed to send packets and to which it
432 is allowed to receive packets. If this column is empty, all addresses
437 Each element in the set must begin with one Ethernet address.
438 This would restrict the host to sending packets from and receiving
439 packets to the ethernet addresses defined in the logical port's
440 <ref column="port_security"/> column. It also restricts the inner
441 source MAC addresses that the host may send in ARP and IPv6
442 Neighbor Discovery packets. The host is always allowed to receive packets
443 to multicast and broadcast Ethernet addresses.
447 Each element in the set may additionally contain one or more IPv4 or
448 IPv6 addresses (or both), with optional masks. If a mask is given, it
449 must be a CIDR mask. In addition to the restrictions described for
450 Ethernet addresses above, such an element restricts the IPv4 or IPv6
451 addresses from which the host may send and to which it may receive
452 packets to the specified addresses. A masked address, if the host part
453 is zero, indicates that the host is allowed to use any address in the
454 subnet; if the host part is nonzero, the mask simply indicates the size
455 of the subnet. In addition:
461 If any IPv4 address is given, the host is also allowed to receive
462 packets to the IPv4 local broadcast address 255.255.255.255 and to
463 IPv4 multicast addresses (224.0.0.0/4). If an IPv4 address with a
464 mask is given, the host is also allowed to receive packets to the
465 broadcast address in that specified subnet.
469 If any IPv4 address is given, the host is additionally restricted
470 to sending ARP packets with the specified source IPv4 address.
471 (RARP is not restricted.)
477 If any IPv6 address is given, the host is also allowed to receive
478 packets to IPv6 multicast addresses (ff00::/8).
482 If any IPv6 address is given, the host is additionally restricted
483 to sending IPv6 Neighbor Discovery Solicitation or Advertisement
484 packets with the specified source address or, for solicitations,
485 the unspecified address.
491 If an element includes an IPv4 address, but no IPv6 addresses, then
492 IPv6 traffic is not allowed. If an element includes an IPv6 address,
493 but no IPv4 address, then IPv4 and ARP traffic is not allowed.
497 This column uses the same lexical syntax as the <ref column="match"
498 table="Pipeline" db="OVN_Southbound"/> column in the OVN Southbound
499 database's <ref table="Pipeline" db="OVN_Southbound"/> table. Multiple
500 addresses within an element may be space or comma separated.
504 This column is provided as a convenience to cloud management systems,
505 but all of the features that it implements can be implemented as ACLs
506 using the <ref table="ACL"/> table.
514 <dt><code>80:fa:5b:06:72:b7</code></dt>
516 The host may send traffic from and receive traffic to the specified
517 MAC address, and to receive traffic to Ethernet multicast and
518 broadcast addresses, but not otherwise. The host may not send ARP or
519 IPv6 Neighbor Discovery packets with inner source Ethernet addresses
520 other than the one specified.
523 <dt><code>80:fa:5b:06:72:b7 192.168.1.10/24</code></dt>
525 This adds further restrictions to the first example. The host may
526 send IPv4 packets from or receive IPv4 packets to only 192.168.1.10,
527 except that it may also receive IPv4 packets to 192.168.1.255 (based
528 on the subnet mask), 255.255.255.255, and any address in 224.0.0.0/4.
529 The host may not send ARPs with a source Ethernet address other than
530 80:fa:5b:06:72:b7 or source IPv4 address other than 192.168.1.10.
531 The host may not send or receive any IPv6 (including IPv6 Neighbor
535 <dt><code>"80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"</code></dt>
537 The host may send traffic from and receive traffic to the
538 specified MAC addresses, and
539 to receive traffic to Ethernet multicast and broadcast addresses,
540 but not otherwise. With MAC 80:fa:5b:12:42:ba, the host may
541 send traffic from and receive traffic to any L3 address.
542 With MAC 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
543 receive IPv4 packets to only 192.168.1.10, except that it may also
544 receive IPv4 packets to 192.168.1.255 (based on the subnet mask),
545 255.255.255.255, and any address in 224.0.0.0/4. The host may not
546 send or receive any IPv6 (including IPv6 Neighbor Discovery) traffic.
552 <group title="Common Columns">
553 <column name="dhcpv4_options">
554 This column defines the DHCPv4 Options to be included by the
555 <code>ovn-controller</code> when it replies to the DHCPv4 requests.
556 Please see the <ref table="DHCP_Options"/> table.
559 <column name="external_ids">
560 See <em>External IDs</em> at the beginning of this document.
565 <table name="Address_Set" title="Address Sets">
567 Each row in this table represents a named set of addresses.
568 An address set may contain Ethernet, IPv4, or IPv6 addresses
569 with optional bitwise or CIDR masks.
570 Address set may ultimately be used in ACLs to compare against
571 fields such as <code>ip4.src</code> or <code>ip6.src</code>.
572 A single address set must contain addresses of the
573 same type. As an example, the following would create an address set
574 with three IP addresses:
578 ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
582 Address sets may be used in the <ref column="match" table="ACL"/> column
583 of the <ref table="ACL"/> table. For syntax information, see the details
584 of the expression language used for the <ref column="match"
585 table="Logical_Flow" db="OVN_Southbound"/> column in the <ref
586 table="Logical_Flow" db="OVN_Southbound"/> table of the <ref
587 db="OVN_Southbound"/> database.
591 A name for the address set. This must be unique among all address sets.
594 <column name="addresses">
595 The set of addresses in string form.
598 <group title="Common Columns">
599 <column name="external_ids">
600 See <em>External IDs</em> at the beginning of this document.
605 <table name="Load_Balancer" title="load balancer">
607 Each row represents one load balancer.
612 A map of virtual IPv4 addresses (and an optional port number with
613 <code>:</code> as a separator) associated with this load balancer and
614 their corresponding endpoint IPv4 addresses (and optional port numbers
615 with <code>:</code> as separators) separated by commas. If
616 the destination IP address (and port number) of a packet leaving a
617 container or a VM matches the virtual IPv4 address (and port number)
618 provided here as a key, then OVN will statefully replace the
619 destination IP address by one of the provided IPv4 address (and port
620 number) in this map as a value. Examples for keys are "192.168.1.4"
621 and "172.16.1.8:80". Examples for value are "10.0.0.1, 10.0.0.2" and
622 "20.0.0.10:8800, 20.0.0.11:8800".
626 <column name="protocol">
628 Valid protocols are <code>tcp</code> or <code>udp</code>. This column
629 is useful when a port number is provided as part of the
630 <code>vips</code> column. If this column is empty and a port number
631 is provided as part of <code>vips</code> column, OVN assumes the
632 protocol to be <code>tcp</code>.
636 <group title="Common Columns">
637 <column name="external_ids">
638 See <em>External IDs</em> at the beginning of this document.
643 <table name="ACL" title="Access Control List (ACL) rule">
645 Each row in this table represents one ACL rule for a logical switch
646 that points to it through its <ref column="acls"/> column. The <ref
647 column="action"/> column for the highest-<ref column="priority"/>
648 matching row in this table determines a packet's treatment. If no row
649 matches, packets are allowed by default. (Default-deny treatment is
650 possible: add a rule with <ref column="priority"/> 0, <code>0</code> as
651 <ref column="match"/>, and <code>deny</code> as <ref column="action"/>.)
654 <column name="priority">
656 The ACL rule's priority. Rules with numerically higher priority
657 take precedence over those with lower. If two ACL rules with
658 the same priority both match, then the one actually applied to a
663 Return traffic from an <code>allow-related</code> flow is always
664 allowed and cannot be changed through an ACL.
668 <column name="direction">
669 <p>Direction of the traffic to which this rule should apply:</p>
672 <code>from-lport</code>: Used to implement filters on traffic
673 arriving from a logical port. These rules are applied to the
674 logical switch's ingress pipeline.
677 <code>to-lport</code>: Used to implement filters on traffic
678 forwarded to a logical port. These rules are applied to the
679 logical switch's egress pipeline.
684 <column name="match">
686 The packets that the ACL should match, in the same expression
687 language used for the <ref column="match" table="Logical_Flow"
688 db="OVN_Southbound"/> column in the OVN Southbound database's
689 <ref table="Logical_Flow" db="OVN_Southbound"/> table. The
690 <code>outport</code> logical port is only available in the
691 <code>to-lport</code> direction (the <code>inport</code> is
692 available in both directions).
696 By default all traffic is allowed. When writing a more
697 restrictive policy, it is important to remember to allow flows
698 such as ARP and IPv6 neighbor discovery packets.
702 Note that you can not create an ACL matching on a port with
707 Note that when <code>localnet</code> port exists in a lswitch, for
708 <code>to-lport</code> direction, the <code>inport</code> works only if
709 the <code>to-lport</code> is located on the same chassis as the
714 <column name="action">
715 <p>The action to take when the ACL rule matches:</p>
718 <code>allow</code>: Forward the packet.
722 <code>allow-related</code>: Forward the packet and related traffic
723 (e.g. inbound replies to an outbound connection).
727 <code>drop</code>: Silently drop the packet.
731 <code>reject</code>: Drop the packet, replying with a RST for TCP or
732 ICMP unreachable message for other IP-based protocols.
733 <code>Not implemented--currently treated as drop</code>
740 If set to <code>true</code>, packets that match the ACL will trigger a
741 log message on the transport node or nodes that perform ACL processing.
742 Logging may be combined with any <ref column="action"/>.
746 Logging is not yet implemented.
750 <group title="Common Columns">
751 <column name="external_ids">
752 See <em>External IDs</em> at the beginning of this document.
757 <table name="Logical_Router" title="L3 logical router">
759 Each row represents one L3 logical router.
764 A name for the logical router. This name has no special meaning or purpose
765 other than to provide convenience for human interaction with the ovn-nb
766 database. There is no requirement for the name to be unique. The
767 logical router's UUID should be used as the unique identifier.
771 <column name="ports">
775 <column name="static_routes">
776 One or more static routes for the router.
779 <column name="enabled">
780 This column is used to administratively set router state. If this column
781 is empty or is set to <code>true</code>, the router is enabled. If this
782 column is set to <code>false</code>, the router is disabled. A disabled
783 router has all ingress and egress traffic dropped.
787 One or more NAT rules for the router. NAT rules only work on the
791 <group title="Options">
793 Additional options for the logical router.
796 <column name="options" key="chassis">
798 If set, indicates that the logical router in question is a Gateway
799 router (which is centralized) and resides in the set chassis. The
800 same value is also used by <code>ovn-controller</code> to
801 uniquely identify the chassis in the OVN deployment and
802 comes from <code>external_ids:system-id</code> in the
803 <code>Open_vSwitch</code> table of Open_vSwitch database.
807 The Gateway router can only be connected to a distributed router
808 via a switch if SNAT and DNAT are to be configured in the Gateway
814 <group title="Common Columns">
815 <column name="external_ids">
816 See <em>External IDs</em> at the beginning of this document.
821 <table name="Logical_Router_Port" title="L3 logical router port">
823 A port within an L3 logical router.
827 Exactly one <ref table="Logical_Router"/> row must reference a given
833 A name for the logical router port.
837 In addition to provide convenience for human interaction with the
838 ovn-nb database, this column is used as reference by its patch port in
839 <ref table="Logical_Switch_Port"/> or another logical router port in
840 <ref table="Logical_Router_Port"/>.
844 <column name="networks">
846 The IP addresses and netmasks of the router. For example,
847 <code>192.168.0.1/24</code> indicates that the router's IP
848 address is 192.168.0.1 and that packets destined to
849 192.168.0.<var>x</var> should be routed to this port.
854 The Ethernet address that belongs to this router port.
857 <column name="enabled">
858 This column is used to administratively set port state. If this column
859 is empty or is set to <code>true</code>, the port is enabled. If this
860 column is set to <code>false</code>, the port is disabled. A disabled
861 port has all ingress and egress traffic dropped.
864 <group title="Attachment">
866 A given router port serves one of two purposes:
871 To attach a logical switch to a logical router. A logical router
872 port of this type is referenced by exactly one <ref
873 table="Logical_Switch_Port"/> of type <code>router</code>.
874 The value of <ref column="name"/> is set as
875 <code>router-port</code> in column <ref column="options"/> of
876 <ref table="Logical_Switch_Port"/>. In this case <ref
877 column="peer"/> column is empty.
881 To connect one logical router to another. This requires a pair of
882 logical router ports, each connected to a different router. Each
883 router port in the pair specifies the other in its <ref
884 column="peer"/> column. No <ref table="Logical_Switch"/> refers to
891 For a router port used to connect two logical routers, this
892 identifies the other router port in the pair by <ref column="name"/>.
896 For a router port attached to a logical switch, this column is empty.
901 <group title="Common Columns">
902 <column name="external_ids">
903 See <em>External IDs</em> at the beginning of this document.
908 <table name="Logical_Router_Static_Route" title="Logical router static routes">
910 Each record represents a static route.
913 <column name="ip_prefix">
915 IP prefix of this route (e.g. 192.168.100.0/24).
919 <column name="nexthop">
921 Nexthop IP address for this route. Nexthop IP address should be the IP
922 address of a connected router port or the IP address of a logical port.
926 <column name="output_port">
928 The name of the <ref table="Logical_Router_Port"/> via which the packet
929 needs to be sent out. This is optional and when not specified,
930 OVN will automatically figure this out based on the
931 <ref column="nexthop"/>.
936 <table name="NAT" title="NAT rules for a Gateway router.">
938 Each record represents a NAT rule in a Gateway router.
942 <p>Type of the NAT rule.</p>
945 When <ref column="type"/> is <code>dnat</code>, the externally
946 visible IP address <ref column="external_ip"/> is DNATted to the IP
947 address <ref column="logical_ip"/> in the logical space.
950 When <ref column="type"/> is <code>snat</code>, IP packets
951 with their source IP address that either matches the IP address
952 in <ref column="logical_ip"/> or is in the network provided by
953 <ref column="logical_ip"/> is SNATed into the IP address in
954 <ref column="external_ip"/>.
957 When <ref column="type"/> is <code>dnat_and_snat</code>, the
958 externally visible IP address <ref column="external_ip"/> is
959 DNATted to the IP address <ref column="logical_ip"/> in the
960 logical space. In addition, IP packets with the source IP
961 address that matches <ref column="logical_ip"/> is SNATed into
962 the IP address in <ref column="external_ip"/>.
967 <column name="external_ip">
971 <column name="logical_ip">
972 An IPv4 network (e.g 192.168.1.0/24) or an IPv4 address.
976 <table name="DHCP_Options" title="DHCP options">
978 OVN implements a native DHCPv4 support which caters to the common
979 use case of providing an IPv4 address to a booting instance by
980 providing stateless replies to DHCPv4 requests based on statically
981 configured address mappings. To do this it allows a short list of
982 DHCPv4 options to be configured and applied at each compute host
983 running ovn-controller.
988 The DHCPv4 options will be included if the logical port has the IPv4
989 address in this <ref column="cidr"/>.
993 <group title="DHCPv4 options">
995 CMS should define the set of DHCPv4 options as key/value pairs in the
996 <ref column="options"/> column of this table. For
997 <code>ovn-controller</code> to include these DHCPv4 options, the
998 <ref column="dhcpv4_options"/> of <ref table="Logical_Switch_Port"/>
999 should refer to an entry in this table.
1002 <group title="Mandatory DHCPv4 options">
1004 The following options must be defined.
1007 <column name="options" key="server_id">
1008 The IP address for the DHCP server to use. This should be in the
1009 subnet of the offered IP. This is also included in the DHCP offer as
1010 option 54, ``server identifier.''
1013 <column name="options" key="server_mac">
1014 The Ethernet address for the DHCP server to use.
1017 <column name="options" key="router">
1019 The IP address of a gateway for the client to use. This should be
1020 in the subnet of the offered IP. The DHCPv4 option code for this
1025 <column name="options" key="lease_time"
1026 type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
1028 The offered lease time in seconds,
1032 The DHCPv4 option code for this option is 51.
1037 <group title="IPv4 DHCP Options">
1039 Below are the supported DHCPv4 options whose values are an IPv4
1040 address, e.g. <code>192.168.1.1</code>. Some options accept multiple
1041 IPv4 addresses enclosed within curly braces, e.g. <code>{192.168.1.2,
1042 192.168.1.3}</code>. Please refer to RFC 2132 for more details on
1043 DHCPv4 options and their codes.
1046 <column name="options" key="netmask">
1048 The DHCPv4 option code for this option is 1.
1052 <column name="options" key="dns_server">
1054 The DHCPv4 option code for this option is 6.
1058 <column name="options" key="log_server">
1060 The DHCPv4 option code for this option is 7.
1064 <column name="options" key="lpr_server">
1066 The DHCPv4 option code for this option is 9.
1070 <column name="options" key="swap_server">
1072 The DHCPv4 option code for this option is 16.
1076 <column name="options" key="policy_filter">
1078 The DHCPv4 option code for this option is 21.
1082 <column name="options" key="router_solicitation">
1084 The DHCPv4 option code for this option is 32.
1088 <column name="options" key="nis_server">
1090 The DHCPv4 option code for this option is 41.
1094 <column name="options" key="ntp_server">
1096 The DHCPv4 option code for this option is 42.
1100 <column name="options" key="tftp_server">
1102 The DHCPv4 option code for this option is 66.
1106 <column name="options" key="classless_static_route">
1108 The DHCPv4 option code for this option is 121.
1112 This option can contain one or more static routes, each of which
1113 consists of a destination descriptor and the IP address of the
1114 router that should be used to reach that destination. Please see
1115 RFC 3442 for more details.
1119 Example: <code>{30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}</code>
1123 <column name="options" key="ms_classless_static_route">
1125 The DHCPv4 option code for this option is 249. This option is
1126 similar to <code>classless_static_route</code> supported by
1127 Microsoft Windows DHCPv4 clients.
1132 <group title="Boolean DHCP Options">
1134 These options accept a Boolean value, expressed as <code>0</code> for
1135 false or <code>1</code> for true.
1138 <column name="options" key="ip_forward_enable"
1139 type='{"type": "string", "enum": ["set", ["0", "1"]]}'>
1141 The DHCPv4 option code for this option is 19.
1145 <column name="options" key="router_discovery"
1146 type='{"type": "string", "enum": ["set", ["0", "1"]]}'>
1148 The DHCPv4 option code for this option is 31.
1152 <column name="options" key="ethernet_encap"
1153 type='{"type": "string", "enum": ["set", ["0", "1"]]}'>
1155 The DHCPv4 option code for this option is 36.
1160 <group title="Integer DHCP Options">
1162 These options accept a nonnegative integer value.
1165 <column name="options" key="default_ttl"
1166 type='{"type": "integer", "minInteger": 0, "maxInteger": 255}'>
1167 The DHCPv4 option code for this option is 23.
1170 <column name="options" key="tcp_ttl"
1171 type='{"type": "integer", "minInteger": 0, "maxInteger": 255}'>
1172 The DHCPv4 option code for this option is 37.
1175 <column name="options" key="mtu"
1176 type='{"type": "integer", "minInteger": 68, "maxInteger": 65535}'>
1177 The DHCPv4 option code for this option is 26.
1180 <column name="options" key="T1"
1181 type='{"type": "integer", "minInteger": 68, "maxInteger": 4294967295}'>
1182 This specifies the time interval from address assignment until the
1183 client begins trying to renew its address. The DHCPv4 option code
1184 for this option is 58.
1187 <column name="options" key="T2"
1188 type='{"type": "integer", "minInteger": 68, "maxInteger": 4294967295}'>
1189 This specifies the time interval from address assignment until the
1190 client begins trying to rebind its address. The DHCPv4 option code
1191 for this option is 59.
1196 <group title="Common Columns">
1197 <column name="external_ids">
1198 See <em>External IDs</em> at the beginning of this document.